For some of us, sending an email to more than three recipients can be a nightmare experience.

If you don’t like communicating electronically with more than one person at a time, then spare a thought for HD Moore.

While most of the world spent the past year just drifting through life, he took that time to message every internet-connected device on the planet.

Some people take up jogging but the computer security expert from Austin, Texas, decided to indulge in a different hobby: getting in touch with the internet. Everyone on the internet.

In order to carry out a survey that would examine the flaws which make us vulnerable to cyber attacks, Moore messaged almost 4billion Internet Protocol (IP) addresses belonging to our devices, getting replies from 310m of them.

The goal was to collate a mountain of data and then go through it to determine what security flaws exist which leave individuals and businesses exposed to online criminals.

Moore is chief research officer at security company Rapid7 but he devoted his free time to his experiment. In February 2012, he built and set up an automated scanning system of the internet, which ran until last month and produced 11m new records every day.

Within those records were some worrying findings. He discovered that millions of internet-connected devices are vulnerable to security breaches and could be controlled by criminals.

According to the study, attackers could potentially access company servers to gain individuals’ personal details. Other vulnerabilities could allow criminals to gain control of certain infrastructure, from traffic lights to factories to oil pipelines.

‘Off-hand, at least 100m devices are directly connected to the internet and expose a common security weakness,’ Moore told Metro.

‘The surprising part wasn’t the type of systems exposed, but the sheer number of them and the concentration of vulnerable systems by geography and industry.

‘Folks who have worked in security for a long time expect to see bad things on the internet, but the scale and potential impact has surprised most of the folks I have spoken with about the project.’

Additional research carried out by Rapid7 found that there are more than 114,000 vulnerable serial port servers – devices which connect industrial control systems to the internet. This could have serious implications, Moore warned.

‘A criminal bent on destruction could disable monitoring systems attached to traffic signals, change the calibration settings on oil pipeline monitors and disable systems that provide connectivity to remote sites. The devices found ranged from traffic signal monitors to oil and gas field equipment.’

He said the research had identified flaws in the point-of-sale systems for a dry cleaning chain, the routers of a US internet service provider (ISP) and the virtual private network (VPN) of an oil company.

‘We found that many of the ships we could identify were not visible on public trackers,’ said Moore.

‘The real risk is that many of the devices exposing AIS streams to the internet are themselves vulnerable to attack and could expose the owner’s network to further compromise.’

But isn’t there a danger that highlighting these weaknesses merely draws attention to them and gives criminals ideas?

‘The challenge of disclosure is balancing the need for public awareness with the chance that a criminal will use the same information as part of a future attack,’ admitted Moore.

‘My personal view is that making this type of information widely available is the only way to realistically address the problem. Telling an organisation that the system they use is vulnerable is one thing, but knowing that everyone else has the same information often prompts them to act sooner versus later.’

Getting in touch with everything on the internet isn’t without its obstacles. Scanning machines were set up in Chicago, while the two servers which processed all the data were housed more than 1,000 miles away in Moore’s home office in Austin.

The servers – costing about $10,000 (£6,400) each – were built using low-cost parts over a period of two years and consumed about $200 (£130) a month of electricity during the project. The scanners cost about $1,000 (£640) a month to operate. Gathering the equipment was the easy part, however.

‘The biggest challenge with mapping both phones and computer networks is the sheer amount of resources it requires to gather information, store it, and process it,’ explained Moore.

‘I have started a handful of projects over the years designed to catalogue a specific facet of internet-facing systems, but it wasn’t until recently that it became feasible to do this type of analysis comprehensively at a global scale.

‘The IPv4 internet consists of a little more than 4bn possible addresses. Of these 4bn, only about 3.7bn can actually be used, and scanning them is simply a matter of starting at 1 and going to 3.7bn.’

But it wasn’t the financial hit which took the most effort.

‘The real cost was the time it took to handle abuse complaints, exclude networks based on “opt-out” requests and generally keep the whole system running,’ said Moore.

‘Quite a few network administrators take issue with someone scanning their systems. Over the life of the project, I received over 3,000 complaints, many of them phrased as threats rather than simple requests to exclude the network in question. Every exclusion request was honoured and I ended up making a few friends in the process.’

Moore said the software industry’s security track record is poor, with botnets and worms both being given space to thrive, but he called on more traditional companies to tighten up their online practices.

‘Over the last 15 years, most consumer-focused software companies – Microsoft, Adobe, Mozilla etc. – have had to make significant investments into security programs and security response just to keep up.

‘By contrast, verticals such as public utilities, oil and gas transport and healthcare have not had the same external pressure. The gap between modern Windows desktop security and an industrial control system, security-wise, is as big as ever.

‘The only effective way to convince the vendors and operators to improve the situation is to clearly demonstrate the risk of the status quo. This transforms the issue from one of awareness to one of negligence.’